OSSEC Active Response E-Mail Notifications

Here’s a very nice page that describes how to set up OSSEC active response e-mail notifications.

There’s one problem, though. With the current OSSEC version, 2.6, that configuration leaves you with an AR rule that, once triggered, loops forever. For example, if a common web attack is detected and you’ve configured OSSEC to respond with the firewall-drop AR, then when the timeout expires the offending IP address is deleted from the firewall configuration and re-added immediately afterwards, because the delete itself generates an AR log entry that the rule matches again. The cycle therefore continues endlessly.

To avoid this, do everything that page tells you to do, but modify your local_rules.xml to look like this (the original post marked in bold the parts that prevent the looping; that formatting does not survive here, so the whole file is shown):

/var/ossec/rules/local_rules.xml

```xml
<!-- Opening tag of the default local_rules.xml; it was not shown in the post
     and is assumed to be the stock group definition. -->
<group name="local,syslog,">

<!-- rules to alert on active-responses
Example:
Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151
-->
<rule id="100002" level="2">
  <if_sid>601</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>firewall-drop.sh</action>
  <status>add</status>
  <description>Active response firewall-drop.sh was run, host blocked</description>
</rule>

<rule id="100003" level="2">
  <if_sid>602</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>firewall-drop.sh</action>
  <status>delete</status>
  <description>Active response firewall-drop.sh was run, host unblocked</description>
</rule>

<rule id="100004" level="2">
  <if_sid>603</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>host-deny.sh</action>
  <status>add</status>
  <description>Active response host-deny.sh was run, host added to hosts.deny</description>
</rule>

<rule id="100005" level="2">
  <if_sid>604</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>host-deny.sh</action>
  <status>delete</status>
  <description>Active response host-deny.sh was run, host removed from hosts.deny</description>
</rule>

<rule id="100006" level="2">
  <if_sid>605</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>route-null.sh</action>
  <status>add</status>
  <description>Active response route-null.sh was run, host added to route null</description>
</rule>

<rule id="100007" level="2">
  <if_sid>606</if_sid>
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>route-null.sh</action>
  <status>delete</status>
  <description>Active response route-null.sh was run, host removed from route null</description>
</rule>

</group>
```

If you grep for any of the <if_sid> … </if_sid> values:

```
% grep 602 /var/ossec/rules/*
/var/ossec/rules/local_rules.xml: <if_sid>602</if_sid>
/var/ossec/rules/ossec_rules.xml: <rule id="602" level="3">
```

you will see that we essentially overwrite the already existing rule id 602 in ossec_rules.xml, which is the firewall-drop delete AR action. In other words, local_rules.xml checks whether rule id 602 has fired; when it has, local rule id 100003 is triggered in turn, and its <options>alert_by_email</options> forces an e-mail notification.
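As an added illustration that is not part of the post or of OSSEC itself, the following script parses active-response log lines in the format shown in the rule comment above, maps each (script, status) pair to the local rule id that would fire, and flags an IP that is re-added within a few seconds of being deleted, which is the add/delete loop the post describes. The log lines are constructed samples; the field names and the `window` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of active-response log lines (same layout as the post's example).
# Fields: <date> <script path> <add|delete> <user> <ip> <alert id: epoch.seq> <rule id>
SAMPLE_AR_LOG = """\
Sat May  7 03:25:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 120.101.70.54 1304756127.60385 31151
Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756247.60385 31151
Sat May  7 03:27:58 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 120.101.70.54 1304756248.60385 31152
Sat May  7 03:29:58 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 120.101.70.54 1304756368.60385 31152
Sat May  7 03:30:10 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 10.0.0.9 1304756410.10000 31200
"""

# Local rule ids from the post, keyed by (script, status), mirroring <action>/<status>.
LOCAL_RULES = {
    ("firewall-drop.sh", "add"): 100002, ("firewall-drop.sh", "delete"): 100003,
    ("host-deny.sh", "add"): 100004,     ("host-deny.sh", "delete"): 100005,
    ("route-null.sh", "add"): 100006,    ("route-null.sh", "delete"): 100007,
}

AR_LINE = re.compile(
    r"^(?P<ts>.+?) (?P<path>\S+/(?P<script>[\w.-]+)) (?P<status>add|delete) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)

def parse_ar_line(line):
    """Split one AR log line into its fields; None if it does not match the format."""
    m = AR_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["local_rule"] = LOCAL_RULES.get((ev["script"], ev["status"]))  # None if unknown script
    return ev

def find_flapping(lines, window=5.0):
    """Count, per (script, ip), how often an 'add' followed a 'delete' within `window` seconds.
    The epoch part of the alert id is used as the event time."""
    last_delete = {}
    flapping = defaultdict(int)
    for line in lines:
        ev = parse_ar_line(line)
        if ev is None:
            continue
        key = (ev["script"], ev["ip"])
        t = float(ev["alert_id"].split(".")[0])
        if ev["status"] == "delete":
            last_delete[key] = t
        elif key in last_delete and t - last_delete[key] <= window:
            flapping[key] += 1
    return dict(flapping)
```

Running `find_flapping(SAMPLE_AR_LOG.splitlines())` on the sample reports one immediate re-add for 120.101.70.54 and nothing for the host-deny entry.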

It’s that simple. Don’t forget about the local_decoder.xml and ossec.conf changes described in the ITSC Blog post.


2 thoughts on “OSSEC Active Response E-Mail Notifications”

    • Thanks for pointing that out. I’ve been trying to leave a comment on your original post, but the comment system seemed broken. I just gave up on it and decided to write this post. Maybe you should look into why it doesn’t work, or works incorrectly, and whether any attempts to leave a comment were logged at all. All I saw in response was some obscure return code -1, and that’s it.
